vpn – Techdirt

Stories filed under: "vpn"

Apple Continues To Genuflect To Vladimir Putin In The Russian Apple App Store

from the cowards dept

Back when Vladimir Putin first launched his aggressive war of choice on Ukraine, much of the Western world mobilized into action in a way that was fairly impressive. All kinds of companies and brands voluntarily began pulling out of the market, sometimes at the request of Ukraine itself. Much was made of tech firms pulling out of the market or suspending service in Russia at that time, specifically. Apple was one of those companies, suspending hardware sales and some services in Russia, though it kept the Russian App Store live and available.

In the intervening couple of years, however, that voluntary embargo in Russia has softened. And, with the App Store still open, Apple has continued to bend to the will of Vladimir Putin when it comes to policing the App Store for anything the Kremlin decides it doesn’t like.

Apple has removed several apps offering virtual private network (VPN) services from the Russian AppStore, following a request from Roskomnadzor, Russia’s media regulator, independent news outlet Mediazona reported on Thursday.

The VPN services removed by Apple include leading services such as ProtonVPN, Red Shield VPN, NordVPN and Le VPN. Those living in Russia will no longer be able to download the services, while users who already have them on their phones can continue using them, but will be unable to update them.

So, what to think about all of this? Certainly some folks will point out that Apple has no choice but to comply with Russian law while operating the App Store in country. And, sure, that’s true. But operating the store is in and of itself a choice that Apple is making. And Apple is a company that has been particularly vocal when it comes to protecting the privacy and rights of its users. It seems that moral stance includes some kind of a carve out for Russians, however.

Apple can do this, of course. But what it cannot do is accept the cheers for pulling out of Russia and for its customer-privacy focus while also accepting its role as digital policeman for the Kremlin. Pick a lane, you can’t have both. And the company is specifically doing the political bidding of the Russian Big Bad, it should be pointed out.

Despite suspending all sales of its own products in Russia in March 2022, Apple has continued to comply with Russian government regulations and has deleted at least 19 apps from the Russian AppStore since 2023.

At Roskomnadzor’s request, in March Apple removed an app developed by late Russian opposition politician Alexey Navalny’s team that was designed to help Russians choose who to vote for to maximise the impact of the anti-Putin vote, in a move that echoed the removal of another Navalny-designed app in 2021.

So the question is what Apple wants to be. A privacy advocate for its customers that is willing to stand up to government, as it has done in the United States? Or a cynical money-focused corporation willing to take what is essentially political action in favor of government against both opposition forces and its own customers, as it has in Russia?

Pick one, Apple. It cannot be both.

Filed Under: app store, content moderation, russia, vpn
Companies: apple, nordvpn, protonvpn

Cops Raid Swedish VPN Provider Only To Find Out There’s No ‘There’ There

from the oh-no-the-things-aren't-even-there dept

There are few things I enjoy writing about more than cops who feel waving around a piece of paper will ensure they can get what they want. I’ve handled a few of these stories before, most of them centered on Signal, the little messaging service that could — one that does not collect user data and would rather exit the marketplace than subject itself to encryption-breaking government mandates.

So, it always gives me pleasure to learn that cops armed with court orders approached a privacy-oriented tech company only to find out the stuff they wanted didn’t actually exist at the place they searched. Due diligence is a thing, investigators. Your boilerplate is obviously false if you’ve claimed (based on “training and expertise”) that the place you want to search contains the information you wish to obtain.

That’s the case here. A Swedish VPN provider was raided by local law enforcement, but was unable to produce any of the information officers were searching for… something officers might have realized prior to the search if they’d bothered to read the terms of service. Here’s Michael Kan with the details for PC World:

The company today reported that Swedish police had issued a search warrant two days earlier to investigate Mullvad VPN’s office in Gothenburg, Sweden. “They intended to seize computers with customer data,” Mullvad said.

However, Swedish police left empty-handed. It looks like Mullvad’s own lawyers stepped in and pointed out that the company maintains a strict no-logging policy on customer data. This means the VPN service will abstain from collecting a subscriber’s IP address, web traffic, and connection timestamps, in an effort to protect user privacy. (It’s also why Mullvad VPN is among our most highly ranked VPN services.)

If the cops had run a search of Mullvad’s website before running a physical search of its offices, they might have discovered that the stuff they swore would be found there actually wouldn’t be found on Mullvad’s premises. It’s not like it’s that difficult to find:

There is a law to collect user data in India and other countries. Does this affect Mullvad?

Mullvad does not collect user data. Mullvad is based in Sweden and none of the Swedish regulations (https://mullvad.net/help/swedish-legislation/) can force VPN providers to secretly collect traffic-related data. We also have no servers, infrastructure or staff in India.

In other words, bring all the law you want, but in the end:

Raid if you want. But you can’t have what providers like Mullvad are unwilling to collect. In the end, you’ve done nothing more than make some noise and embarrass yourself. It’s all there in the Mullvad FAQ, including the fact that Mullvad performs no logging of user activity. If your investigation leads you to providers like Mullvad, it’s a dead end. Look elsewhere.

This policy isn’t in place because Mullvad wants to protect criminals. It’s in place because people all over the world deserve protection from government overreach. That criminals may benefit from policies like these doesn’t make these policies bad, it just makes it more difficult for abusive governments to engage in third-party-enabled surveillance.

And the long history here shows Mullvad isn’t a home for criminals. It’s just an extremely well-run VPN provider:

“Mullvad has been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant,” the company added.

You know who is in the best position to stop local law enforcement officers from embarrassing themselves? LOCAL LAW ENFORCEMENT. Maybe read the ToS and FAQ at the site you’re planning to raid before you approach a court with a bunch of assumptions and half-truths to secure a fruitless warrant demanding companies turn over information they don’t retain. Doing otherwise means looking bad at your job (at best) and authoritarian (at worst). If cops want to regain the respect and trust they swear they’ve always enjoyed in the past, the first thing they can do is actually do the investigative parts of investigations. That way they won’t look ridiculous when they go marching out of a tech company’s offices with fuck all in their hands.

Filed Under: logs, privacy, sweden, vpn, warrant
Companies: mullvad

VPN Providers Remove Servers From India In Wake Of New Data Collection Laws

from the terrified-of-privacy dept

Mon, Sep 26th 2022 05:37am - Karl Bode

VPN providers remain a primary target of governments around the world (authoritarian leaning and otherwise) that don’t much like their citizens chatting privately or avoiding government surveillance. We watched it happen in Russia, where strict new data collection and retention rules resulted in a mass exodus of VPN providers (the ones that are actually dedicated to privacy and security, anyway).

VPN crackdowns are also occurring in purported democracies like India, after the government passed new cybersecurity rules requiring that VPN operators collect user names, email addresses and IP addresses, store it for five years, and furnish it to authorities on demand.

Since that defeats a major justification for even using a VPN and creates obvious legal headaches, VPN providers have been pulling their servers out of India over the last few months. This week they were joined by Proton VPN, which also says it’s moving their India-based servers out of the country. They are, however, using smart routing servers to dole out Indian IP addresses:

Today, we’re removing our VPN servers in India to protect the privacy of our community due to India’s new surveillance law. However, we’ve rolled out smart routing servers to still give you an Indian IP address.

Read @andyyen’s interview with @WSJ: https://t.co/5iIy1Di3mV

— Proton VPN (@ProtonVPN) September 22, 2022

Proton AG Chief Executive Andy Yen discussed the decision in an interview with the Wall Street Journal:

“It’s going to have a chilling effect. I find it really sad that the world’s largest democracy is taking this path,” Mr. Yen said. “On paper India is supposedly taking a different path from China and Russia,” where similar rules are in place, he said.

Granted the VPN industry isn’t quite what it used to be. There’s a laundry list of providers that don’t actually adhere to their promises of no logging or data collection anyway. But for those that actually care about security and privacy, India’s crackdown on an essential security and privacy tool, combined with harsh crackdowns on propaganda researchers and activists, is raising no shortage of red flags.

The company had more to say about the decision in this blog post, calling India’s crackdown “against everything we stand for.”

Filed Under: encryption, india, privacy, security, surveillance, vpn
Companies: proton ag

Lawmakers Push FTC To Crack Down On Sleazy VPN Industry

Wed, Jul 20th 2022 10:38am - Karl Bode

Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.

Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

Last week, Congresswoman Anna Eshoo and Senator Ron Wyden wrote a letter to the FTC urging it to take a closer look at the increasingly dodgy behavior in the VPN sector:

“In December 2021, Consumer Reports (CR) found that 75 percent of leading VPN providers misrepresented their products and technology or made hyperbolic claims about the protection they provide users on their websites, such as advertising a ‘military-grade encryption’ which doesn’t exist. Advocacy groups have also found that leading VPN services intentionally misrepresent the functionality of their product and fail to provide adequate security to their users. We’re highly concerned that this deceptive advertising is giving abortion-seekers a false sense of security when searching for abortion-related care or information, putting them at a higher risk of prosecution.”

It’s a good segment for the FTC to take a closer look at given the agency’s mandate over “unfair and deceptive” practices. Granted this is the United States where misleading consumers is a sport, and the FTC is tasked with overseeing everything from bleach label accuracy to auto mechanic scams. So given how much is on its plate, it’s not clear whether they’ll actually crack down on dodgy VPNs anytime soon.

After a few years in which VPN providers were repeatedly found to be dodgy or to have tracked user data when they claimed they didn’t, professionals have shifted their thinking on even recommending one.

While folks requiring strict security over wireless may still benefit from using a reputable VPN provider, experts say the landscape has changed dramatically in the last decade. Improvements in the overall security of ordinary browsing (bank logins, etc.), plus the risk of choosing the wrong VPN provider, means that, in many instances, people may just be better off without one.

Filed Under: anna eshoo, ftc, privacy, ron wyden, scams, vpn

Hackers Gained Access To T-Mobile VPNs, Customer Service, And Source Code

from the you're-not-very-good-at-this dept

Tue, Apr 26th 2022 06:28am - Karl Bode

U.S. wireless company T-Mobile hasn’t had what you’d call a stellar track record on privacy or security. Last year, the company was forced to acknowledge that hackers had obtained the personal details (including social security numbers) of more than 53 million T-Mobile customers, the sixth time the company had been meaningfully compromised in as many years.

Last week, the company was forced to acknowledge that the Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March. While no consumer data was obtained (that we know of; these breaches always wind up being much worse than originally acknowledged), hackers obtained source code on numerous company projects thanks (in part) to human engineering:

The logs indicate LAPSUS$ had exactly zero problems buying, stealing or sweet-talking their way into employee accounts at companies they wanted to hack.

Several teen members of the group were arrested in London last month. The group was one of several hacking organizations that had easily targeted T-Mobile to engage in SIM swapping or SIM hijacking, the act of bribing employees to help them port a user’s cell number right out from beneath them, opening the door to all kinds of surveillance and identity or cryptocurrency theft.

SIM hijacking has become a big enough problem in recent years to gain the attention of prominent lawmakers like Senator Ron Wyden. Though this only occurred after years of consumer complaints and several major lawsuits against T-Mobile by major cryptocurrency investors who say they lost millions to the scams.

Public Telegram chat logs (a major reason for the group’s unraveling) document how it obtained T-Mobile VPN credentials, had access to numerous T-Mobile employee accounts and Atlas, a powerful internal T-Mobile tool used for managing customer accounts. The group also (unsuccessfully) tried to use their access to compromise T-Mobile accounts associated with the FBI and Department of Defense.

While again, this didn’t include the group gaining access to consumer accounts (that we know of), it’s still an ugly look for T-Mobile, and likely could have set the stage for other, successive intrusions. Granted this is all before mentioning that T-Mobile has also repeatedly made headlines over the last few years thanks to its over-collection of consumer location data it similarly failed to adequately secure.

Filed Under: consumer privacy, department of defense, fbi, hacking, lapsus$, privacy, sim hijacking, sim swapping, telecom, vpn
Companies: t-mobile

Researchers Again Show How Major VPNs Quietly Undermine User Security

from the first-do-no-harm dept

Thu, Apr 21st 2022 06:28am - Karl Bode

Given the seemingly endless privacy scandals that now engulf the tech, telecom, and adtech sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to try and protect themselves in the wake of scandals, breaches, and hacks.

Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

A Consumer Reports study late last year took a look at 16 top VPN providers, and found that the majority of them misrepresented their products or their data retention practices, and many of the companies actually put consumer privacy at greater risk. Only a quarter of the VPNs looked at clearly indicated how long they retain user browsing and other data.

Other VPNs simply don’t provide particularly stellar security, despite marketing claiming that’s the entire reason they exist. For example, Surfshark, TurboVPN, Sumrando VPN, and several other VPN providers were recently accused of installing a trusted root certificate authority (CA) cert on user devices, often without user knowledge or approval.

This risky root certificate opens the users of these VPNs to increased risk of man in the middle or other attacks:

The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device.

Plus, an attacker who gets hold of the private key that belongs to a trusted root certificate authority can generate certificates for his own purposes and sign them with the private key.

For consumers, determining what VPN provides useful security and what VPN is a privacy and security dumpster fire isn’t easy, especially given how so many VPN reviews are little more than affiliate kickback blogspam. So while quality VPNs are still definitely useful, experts increasingly point out that unless you know what you’re buying and really need the protection, they’re often just not worth it.

Filed Under: consumers, privacy, privacy scandals, root cert, vpn

Torguard Blocks All U.S. BitTorrent Traffic After Entertainment Industry Lawsuit

from the whac-a-mole dept

Wed, Mar 16th 2022 01:43pm - Karl Bode

Over the last few years, the entertainment industry and big copyright have ramped up a war against VPN providers here in the U.S., culminating in a lawsuit against VPN provider Torguard by nearly two-dozen movie studios. The same studios had demanded $10 million in damages from another VPN provider, LiquidVPN, earlier last year.

In both cases the accusations are the same: that the companies are encouraging copyright violations because some users use VPNs to disguise the trading of files over BitTorrent (helping them dodge both ISP and entertainment industry monitoring and DMCA warnings).

Of course not all VPN users are using BitTorrent to seed and distribute copyrighted files, but in fights like these, nuance is generally the first casualty. Giant files, including a significant amount of data being shared by the Internet Archive, are also routinely traded on the network.

Torguard has announced in a statement on its website that it will be blocking all BitTorrent traffic on its servers and network in the U.S. starting immediately. 90 percent of the statement involves trying to assuage consumers about the company’s reputation in the wake of the decision:

Operating a VPN provider requires a great deal of trust from consumers and for that reason TorGuard’s owner and parent company make no effort to hide behind offshore entities. We operate transparently within the USA as it offers our clients the strongest consumer privacy protections with no mandatory data logging requirements. TorGuard’s customer base has never been sold or acquired and after ten years in business we are still managed by the original founder who is willing to stake their personal reputation on every decision the company makes.

VPN Unlimited and VPN.ht also recently agreed to block all BitTorrent traffic on U.S. servers after industry pressure.

Bleeping Computer was the first to notice that the company had struck a settlement with the studios. Given that studios have been demanding that VPN providers log and store user traffic behavior, Torguard’s clearly worried the decision will cause an exodus of customers who specifically use a VPN to avoid being tracked for reasons that often go beyond copyright infringement.

Granted Torguard still operates VPN servers in over 50 countries, so users who were previously using U.S.-based Torguard servers can presumably just connect to any one of those instead, albeit with a likely performance hit. The company had filed a motion to dismiss the case with a Florida court last October.

Filed Under: bittorrent, copyright, lawsuit, movies, network, piracy, vpn
Companies: torguard

The VPN Is On Everybody's Shitlist After Years Of Scammy Providers And Empty Promises

from the it's-not-magic dept

Thu, Jan 6th 2022 01:57pm - Karl Bode

The high number of scammy providers and the overall rise in encryption appear to have turned public sentiment against virtual private networks (VPNs) and raised the question of whether most consumers actually even need one. As privacy scandals and hacks grew over the last decade, VPNs quickly emerged as a sort of mystical panacea that could protect you from all harm on the internet. Of course, this resulted in a flood of VPN competitors who were outright scams, made misleading statements about what data is collected, or failed to protect consumer data.

The end result is a new trend in the press where about once a month we get a new story informing you that you probably don’t actually need a VPN. NBC News was the latest last week, pointing out that VPNs aren’t the panacea many people seem to assume:

“Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. “They don’t improve your security at all.”

Scammy VPN providers are a major reason for the shift. A Consumer Reports study last month took a look at 16 top VPN providers, and found that the majority of them misrepresented their products or their data retention practices, and many of the companies actually put consumer privacy at greater risk. Only a quarter of the VPNs looked at clearly indicated how long they retain user browsing and other data. The gold rush and regulatory apathy created an environment where the industry’s floorboards rotted out below it, creating products that actually put consumer privacy and security at greater risk.

Granted simple technical innovation is another reason why the VPN is no longer deemed essential. Most browsers implemented HTTPS, making the dreaded (and frankly often unlikely) scenario whereby a nearby coffee shop hacker hijacks the entirety of your finances no longer as much of a threat. There’s also (much to the chagrin of total surveillance fans in intelligence and law enforcement) greater encryption overall, and a parade of browser extensions and plugins that can help provide additional security. Now, you’re far more likely to be subject to a basic human engineering phishing attack, which a VPN won’t help with:

“Users now need to worry far less about being hacked by a fellow coffee shop patron than by a hacker simply sending an email from anywhere around the world to trick them into giving up their passwords and other sensitive information, she said.

Hackers “would likely do a phishing attack on you before they would walk into a cafe with free Wi-Fi,” Hancock said. “Sending people nefarious emails, it’s much easier to do that kind of campaign. Those have been tried and true, unfortunately,” she said.”

That’s not to say VPNs don’t still have their function. The technology is still an essential security layer for governments, corporations, or others dealing with extremely sensitive information. But for many ordinary consumers, they’re more trouble than they’re worth, in no small part thanks to an industry that completely lost its soul at the data collection and monetization trough.

Filed Under: encryption, overhype, scams, security, vpn

Latest VPN Security Scandals Show (Yet Again) That VPNs Aren't A Panacea

from the not-a-magic-bullet dept

Wed, Jul 22nd 2020 06:40am - Karl Bode

Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.

Usually, consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

The latest case in point: a number of VPN providers who claim to offer “zero logging” protection were found to have not only been tracking a laundry list of user behaviors online, but doing a piss poor job securing said data. Kicking it off, Comparitech’s Bob Diachenko recently discovered 894 GB worth of user data in an unsecured Elasticsearch cluster belonging to UFO VPN, a provider whose privacy policy informs users that they aren’t tracked as they travel around the internet. That wound up being, you know, not even remotely true:

“Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.”

Again, “VPN” should not be automatically associated with “secure,” and the majority of these companies simply aren’t particularly trustworthy. Just ask vpnMentor, which discovered last week that an entirely different group of “no logging” free VPN providers had left more than a terabyte of private user data openly exposed online without a shred of protection:

“The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.”

The irony of consumers (justifiably) fearing for their security in the wake of massive privacy scandals, only to stumble into the arms of “security companies” that are even worse on security and privacy is just very 2020. For many of these fly by night operations, the VPN itself is just security theater, and in some instances you’re actually probably better off with the devil you already know:

I don't use a VPN because I'd rather Comcast aggregate my data than some dude wearing a dolphin onesie in his basement in Zurich.

— SwiftOnSecurity (@SwiftOnSecurity) April 18, 2017

That’s not to say that VPNs don’t certainly have their use, but folks need to exercise some good judgement and spend a little time reading and comparing recommendations from respected outlets before putting their behavior data into the hands of total randos half a world away.

Filed Under: privacy, security, vpn

Russia Expands Site Blocking To VPNs

from the watch-out dept

Over the last few years, Russia has been one of the most aggressive countries in using claims of copyright infringement to push for full site blocking at the ISP level. Of course, that has resulted in tens of thousands of innocent sites getting blocked (collateral damage!), not to mention a corruption scandal and… no meaningful decrease in piracy. Apparently, the answer for the Russians: head deeper into the infrastructure to push site blocking even further.

Now, apparently, beyond just demanding ISPs engage in massive site blocking, various VPNs have been ordered to start blocking full sites as well.

During the past few days, telecoms watch Roscomnadzor says it sent compliance notifications to 10 major VPN services with servers inside Russia – NordVPN, ExpressVPN, TorGuard, IPVanish, VPN Unlimited, VyprVPN, Kaspersky Secure Connection, HideMyAss!, Hola VPN, and OpenVPN.

The government agency is demanding that the affected services begin interfacing with the FGIS database, blocking the sites listed within. Several other local companies – search giant Yandex, Sputnik, Mail.ru, and Rambler – are already connected to the database and filtering as required.

You can understand how this came about: as site blocking gets more popular, more people sign up for VPNs that allow them to get around local censorship and access content as before. However, it appears the Russians are trying to stop that as well. While not quite as bad as when China started banning VPNs completely, this still represents quite a threat to securely surfing the internet.

I was actually in Moscow a few years ago, very briefly, to speak on a panel, and I came armed with three separate VPN services to (hopefully?) stay safe and be able to tunnel out of the Russian internet. That was well before the big crackdown, however, and it must be more and more difficult to use the internet safely there. We’ve also discussed Russia’s supposed plans to test disconnecting from the internet — and it might not need to do much if it continues to reach deeper and deeper into the internet ecosystem to make it harder and harder to use the internet safely and securely.

And, of course, as Professor Annemarie Bridy notes, none of this is really about copyright infringement. This is entirely about authoritarian control of the internet and censorship:

The censorship machines that we build for copyright enforcement are the same ones authoritarians use to control dissent. Once the infrastructure is in place… https://t.co/cpsmj6kbSS

— Annemarie Bridy (@AnnemarieBridy) March 28, 2019

Indeed, remember a few years back when the Russian government used questionable claims of copyright infringement to intimidate government critics? The US’s infatuation with copyright has handed a tool of out and out censorship to authoritarian leaders, who can censor freely while insisting they’re doing so to help American copyright corporate interests.

Filed Under: internet freedom, isp, russia, site blocking, vpn